Problems with MCP (can't find EOCD signature)

Julian Field MailScanner at ecs.soton.ac.uk
Thu May 25 11:57:05 IST 2006 

What are your MCP settings in your MailScanner.conf?

On 25 May 2006, at 11:18, Simon Annetts wrote:

> Ok, I spoke too soon.
> It fixes the problem with MCP checks but now breaks the virus  
> checking.
>
> If I send a message containing the eicar excerpt on its own it is  
> detected as a virus and blocked.
>
> If I send a message containing profanity, then the message is  
> marked as profane and delivered.
>
> If I send a message containing profanity and the eicar excerpt then  
> the profanity is detected but the virus is ignored and the
> message is sent containing the virus. Here's the log extract:
>
>
> May 25 12:37:25 mailhub1 MailScanner[24739]: New Batch: Scanning 1  
> messages, 1127 bytes
> May 25 12:37:25 mailhub1 MailScanner[24739]: Spam Checks: Starting
> May 25 12:37:28 mailhub1 MailScanner[24739]: MCP Checks: Starting
> May 25 12:37:29 mailhub1 MailScanner[24739]: Message  
> 1FjE9d-0006WH-3y from 10.4.4.20 (simon at ateb.co.uk) to marteg.com is  
> MCP,
> MCP-Checker (score=10, required 1, PROFANITY2 10.00)
> May 25 12:37:29 mailhub1 MailScanner[24739]: MCP Checks: Found 1  
> MCP messages
> May 25 12:37:29 mailhub1 MailScanner[24739]: MCP Actions: message  
> 1FjE9d-0006WH-3y actions are deliver
> May 25 12:37:29 mailhub1 MailScanner[24739]: Virus and Content  
> Scanning: Starting
> May 25 12:37:30 mailhub1 MailScanner[24739]: Uninfected: Delivered  
> 1 messages
> May 25 12:37:30 mailhub1 MailScanner[24739]: Batch (1 message)  
> processed in 5.51 seconds
>
>
> It seems to me that once mcp has had the message it passes it on to  
> the next stage blank, so breaking any further analysis?
>
> Regards
> Simon
>
>
>
> ----- Original Message -----
> From: "Simon Annetts" <simon at ateb.co.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, May 25, 2006 11:04 AM
> Subject: Re: Problems with MCP (can't find EOCD signature)
>
>
> Thanks!
> That fixes it, but it is a work around. It would of course be  
> better to reject profane mail before virus and spam checking to reduce
> overheads, but I can live with this for now. If I get time I'll dig  
> into to the code to see why the mcp part fails to deliver or
> pass on the message to the next check.
> Thanks again for your prompt reply, I've only just joined the list  
> so missed the previous post.
>
> Kind regards
> Simon
>
>
> ----- Original Message -----
> From: "Dhawal Doshy" <dhawal at netmagicsolutions.com>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, May 25, 2006 10:43 AM
> Subject: Re: Problems with MCP (can't find EOCD signature)
>
>
> Simon Annetts wrote:
>> Hi
>> I've just got mailscanner 4.54.4 working and I am trying to get  
>> mcp to work.
>>
>> I'm using it with exim with two queues and two configs.
>> All works fine for virus and spam scanning.
>> However now mcp is enabled if a profane email arrives and is  
>> caught by
>> mcp it never reaches the exim out queue it just disappears into a  
>> black
>> hole.
>
> The EOCD error is a harmless one and can be safely ignored.. as for  
> the
> MCP thing a few days back it was suggested to use this:
>
> First Check = spam
>
> HTH,
> - dhawal
>
>> spamassassin -C ./mcp.spam.assassin.prefs.conf --lint
>> shows no errors
>>
>> maillog shows the message being correctly detected:
>>
>> May 24 19:30:11 mailhub1 MailScanner[30746]: New Batch: Scanning 1  
>> messages, 1054 bytes
>> May 24 19:30:11 mailhub1 MailScanner[30746]: MCP Checks: Starting
>> May 24 19:30:12 mailhub1 MailScanner[30746]: Message  
>> 1Fiy7X-00082t-0U from 10.4.4.20 (simon at ateb.co.uk) to marteg.com  
>> is MCP,
>> ecker (score=10, required 1, PROFANITY2 10.00)
>> May 24 19:30:12 mailhub1 MailScanner[30746]: MCP Checks: Found 1  
>> MCP messages
>> May 24 19:30:12 mailhub1 MailScanner[30746]: MCP Actions: message  
>> 1Fiy7X-00082t-0U actions are deliver
>> May 24 19:30:12 mailhub1 MailScanner[30746]: Spam Checks: Starting
>> May 24 19:30:19 mailhub1 MailScanner[30746]: Virus and Content  
>> Scanning: Starting
>> May 24 19:30:21 mailhub1 MailScanner[30746]: Uninfected: Delivered  
>> 1 messages
>> May 24 19:30:21 mailhub1 MailScanner[30746]: Batch (1 message)  
>> processed in 9.55 seconds
>>
>> but exim main.log just shows:
>>
>> 2006-05-24 19:30:11 1Fiy7X-00082t-0U <= simon at ateb.co.uk  
>> H=purple.marteg.com (purple) [10.4.4.20] P=smtp S=718 id=025101c67f4
>> a70$1404040a at purple
>> 2006-05-24 19:30:21 1Fiy7X-00082t-0U Completed
>>
>> instead of the usual in <= and out => parts of the message delivery.
>>
>> There is nothing in quarantine.
>>
>> I've done a find / -name "1Fiy7X-00082t-0U*" and the message is  
>> nowhere
>> on the disk!
>> If I run mailscanner in debug mode I get the following excerpt which
>> seems to indicate the mcp check died with the error 'format error:  
>> can't
>> find EOCD signature'
>>
>> What does this mean and how do I fix it??
>>
>> [23556] dbg: message: decoding other encoding type (7bit), ignoring
>> [23556] dbg: check: running tests for priority: 0
>> [23556] dbg: rules: running header regexp tests; score so far=0
>> [23556] dbg: rules: running body-text per-line regexp tests; score  
>> so far=0
>> [23556] dbg: rules: ran body rule PROFANITY2 ======> got hit: "w*nk"
>> [23556] dbg: uri: running uri tests; score so far=10
>> [23556] dbg: rules: running raw-body-text per-line regexp tests;  
>> score so far=10
>> [23556] dbg: rules: running full-text regexp tests; score so far=10
>> [23556] dbg: check: is spam? score=10 required=5
>> [23556] dbg: check: tests=PROFANITY2
>> [23556] dbg: check: subtests=
>> Ignore errors about failing to find EOCD signature
>> format error: can't find EOCD signature
>>  at /usr/sbin/MailScanner line 781
>> Stopping now as you are debugging me.
>>                                                            [  OK  ]
>>
>>
>> Thanks in advance
>> Simon
>>
>>
>> -- 
>> This message has been scanned for viruses and
>> dangerous content by *MailScanner* <http://www.mailscanner.info/>,  
>> and is
>> believed to be clean.
>>
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

More information about the MailScanner mailing list